Hi,
We have One domain and which has 10 DC with mix of windows 2008r2, windows 2012 and windows 2016. The current domain functional level is windows 2008 r2. All FSMO rolls are on windows 2008r2 server. Now we want to upgrade domain functional level to windows 2016.How can we do? Now raise domain functional level no option to upgrade. Our all DCs are working fine without any issues. Please guide me with tutorial if possible. We have ADFS and ADFS proxy servers with windows 2008r2 OS.
Thanks.
We have Windows 2012 R2 domain and in the process of upgrading to 2016 AD.
I want to create customize password expiration message in active directory that notifies my domain users that their password with customized message with guidelines.
How can i create
customized password expiration message?
Tek-Nerd
Hello!
I have two Windows Server 2012 R2 DC's which I'd like to demote from a domain leaving two Windows Server 2019 DC's to remain as the sole DC's. When I try to demote the 2012 R2 DC's I get a message "The operation failed because: The Active Directory Domain Services Installation Wizard (DCpromo.exe) would not configure the computer account <2012 DC> on the remote Active Directory Domain Controller <2019 DC>. Verify that the user running dcpromo.exe is granted the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy. The error was: Access is denied".
I tried both my domain admin account and the domain Administrator account and both get this same error. Both of these accounts are added to the "Enable computer and user accounts to be trusted for delegation" user right in the Default Domain Controllers Policy.
"repadmin" shows that everything is replicated between all DC's. In fact the only hint that I see of any AD problem is that in the Group Policy Management is that from "Detect Now" on the status page, the two older DC's show that replication in progress. (And this never changes).
Anyone have any idea what I should look at? I suppose I could just do a "Force" on the DCPROMO demotion and then clean up the metadata by following the steps to manually remove a failed DC.
I appreciate anyone's help!
dave
I have installed LAPS on client computers using GPO. It is only the .dll file that was installed, the Fat Client UI is missing.
How do I correct that?
We have a linux machine comp1 which is connected to Microsoft Windows Active Directory i.e we have a machine account created on the AD server. Along with that, we have domain user accounts created on AD server. Hence when those users login to comp1, they are authenticated using their AD accounts.
As per my limited knowledge, the machine (comp1) account secret/password keeps changing periodically and this change is initiated by the client (comp1). Once this the secret/password for comp1 account is updated on the AD server, then it is updated locally on comp1. For Linux, there is a process which handles this in the background.
In our customer's environment, I observed in the logs that, the secret/password change was done on 11/21 after which we started seeing PreAuthentication failures.
My question is that, is it possible that the secret/password change for Machine Account which it initiated fail to get updated on AD server resulting into a miss match ? Is there any similar known issue for any windows AD server versions i.e Machine Account password update fails?
Guys,
When in a DFS environment, how should i create roaming profiles and home folders ? Anyone who has a decent tutorial for that?
I dont think it would be wise to let the profiles be synced. The homefolders could be synced by DFS, i guess.
thanks in advance.
Hi I have a problem with GPO. We have LAPS configured. All computers located in one OU named Corp_Computers. Also we have group named "workstation_admins"( members are helpdesks) which granted to read LAPS passwords. Also granted member of local administrators group of computers. Now we want to create separate OUs in Corp_Computers OU for sub company computers and create groups for each for helpdesk users( exp : a_workstation_admins). Remove parent GPO and create GPO for each OU for local administrators group membership. But thinks get stranger from this. When i applied GPO for A_Corp_Computers( Local admins GPO setting configured with GPO preferences) workstation_admins and a_workstation_admins in here. I create separate OU and try without any configured GPO only default domain policy(unconfigured) and did gpupdate /force but workstation_admins appears in Administrators goup.
Sorry for my bad English
Im are planning to migrate ad server from ws2008 to ws2012 (new server hardware), and i plan to use a different server name. Is it possible to maintain the old server name as an alias, the purpose of doing this is to make sure no issue for any application that currently using the old name for querying ad server.
Ive found some article about renaming ad server, is this valid for my situation
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816601(v=ws.10)
Hi,
Hoping someone could answer my question. We have a customer on Domain A currently with a domain trust to our environment Domain B, we host an RDS collection and they authenticate with their Domain A credentials to be able to access their Remote Apps over a site-to-site VPN. They wish to remove the Two-Way domain trust now and suggested using ADFS for authentication.
Is this possible? Without a domain trust how can we authenticate their users to our environment without their users needing to log in multiple times?
Thanks
C
I have been using Windows Server for years and this problem has hit a dead end.
Server 2012R2 Active Directory office environment (primary/secondary servers), removed Interactive Logon message 48 hours ago, and can not get the message to delete off from the clients. Refresh time on clients is set to 60 mins, server refresh is 30 mins, rebooted everything several times, have run every manual gpupdate option several times, no errors in output of "gpresult /v >c:\gpresult.txt", and the clients registry keys which I can not get to update is Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Any help much appreciated.
Dear folks,
Please guide me, How to secure and improve my active directory environment,
Is there any automation script?
Such as,
GPO backup/restore,
SSB backup/restore,
DHCP backup/restore,
DNS Backup/restore,
Please share me such kind of further improvements,
I'm trying to understand the output of this DFSR report. It's saying certain files can't be replicated in the root. When I look at the root of the folder and show hidden and system files I do not see the files listed in the report. Here is one example. I have another DFSR relationship that shows many more instances. Any ideas what causes this?
Guys,
When in a DFS environment, how should i create roaming profiles and home folders ? Anyone who has a decent tutorial for that?
I dont think it would be wise to let the profiles be synced. The homefolders could be synced by DFS, i guess.
thanks in advance.
Dear Support,
We cannot DCpromo Windows Server with the following error message for Prerequisites Check.
Error Message:
Verification of prerequisites for Domain Controller promotion failed. The folder D:\Windows\NTDS does not refer to a valid hard disk. Select a folder on a hard disk drive.
Could you have any idea?
Thanks!
Best Regards,
Daniel
Hello,
I've been trying to follow some posts out there that show how to setup and configure the SNMP feature in Windows server, however, the GPO alone never installs the service. I don;t know if I'm missing a step , or if it isn't possible to install the feature with a GPO.
I created a single GPO that creates a firewall rule to allow ICPMv4, and in the same GPO I have configured the settings for a typical snmp configuration.
I tried to follow this posts without editing the registry because I don't think it applies in my case:
https://glazenbakje.wordpress.com/2016/03/18/microsoft-snmp-settings-via-group-policy/
Is it possible that you can configure the settings in GPO but not actually install the feature? That would seem a little useless so I hope that's not the case. I could probably run a PS script from GPO if necessary.
Thanks
